
3.3 Safety assessment and implementation

3.3.4 Risk, its perception and building consensus

Normal and abnormal operation conditions of a fuel management system as well as design basis accidents are demonstrated to be safe in the criticality safety analysis. Beyond design basis events should be assessed based on risk techniques.

The experience accumulated to date in the field of fuel assembly handling shows that no criticality event has occurred. Given the high number of fuel assemblies handled every year, that means that the criticality risk has remained limited using the current safety analysis approach. Introduction of BUC may introduce additional local hazards such as the need to rely on knowledge of reactor operating conditions, complex calculational methodologies, operator control, additional measurement checks, etc. This may result in an increased risk that the actual neutron multiplication factor $k_{\text{eff}}$ of the system exceeds the upper limit $k_{\text{limit}}$ (cf. Section 3.3) because:

• The criticality safety analysis of the system might not be bounding with respect to the reactor operation conditions,

• The validation of the calculational methods applied might be insufficient or unsuitable,

• The data from the reactor records might be erroneous,

• The assignment of the reactor record information to the fuel identification might be wrong, or

• A misloading event might occur and remain undetected.

Thus, the actual safety margin of the system may be smaller than the regulatory safety margin $\Delta k_{SM} = 1 - k_{\text{limit}}$, given by equation (2). From that the conclusion might be drawn that the system has the potential of being less safe under the burnup assumption than under the fresh fuel assumption.

Based on such considerations, a certain reluctance toward BUC implementation has been observed in the past among regulators and other stakeholders. The improvement of the knowledge in the BUC implementation field during the past ten years, including the adoption of advanced calculational techniques, and the experience gained, have provided a solid base to modify this perception.

Of course, a risk analysis of BUC implementation compared with the risk obtained using the fresh fuel assumption would most probably show an increase in risk, because of the reduction in the actually available margin to the critical condition due to the reduction in analysis conservatism. In most regulations, that increase in risk has to be demonstrated to be outweighed by the risk improvement that the BUC implementation can provide in areas other than criticality safety. Thus, the benefits of introducing BUC should be identified and, when possible, quantified. These may include reduced operator dose, fewer transport movements, less environmental impact, lower waste arising, economic advantages, etc. A balance of risk arguments should be produced, and preferably quantified, to demonstrate that, overall, the advantages outweigh the disadvantages when viewed from a global perspective. In other words, an integral risk analysis of the spent fuel management facility or system should be performed in order to demonstrate that there is an overall improvement.

A direct example of the above is provided by BUC implementation in transport cask design. The increase in cask capacity provided by the use of BUC would allow for a reduction in the number of fuel shipments needed. On top of reducing the dose to workers and the public, the reduction in the number of shipments would mean a similar decrease in the frequency of transportation accidents, hence reducing the criticality risk associated with those scenarios. Risk improvements in these fields might be demonstrated to provide an overall reduction in risk if BUC is implemented.

As already mentioned above, there are some items or events associated with BUC implementation that do not apply to criticality safety analysis made using the fresh fuel assumption:

• Errors in the analyst’s judgment (analysis not bounding, insufficient validation),

• Systematic errors in the burnup information (erroneous data from the reactor records),

• Fuel misloading (misloading event).

3.3.4.1 Errors in the analyst’s judgment

From the analytic point of view, the main difference between a BUC analysis and a traditional analysis lies in its complexity. The need for a depletion calculation greatly increases the number of parameters that need to be considered in the analysis. Most of them are operation conditions of the fuel, which are sometimes not easy to know in detail. The analyst’s judgment in determining the parameter range that covers all the operation conditions (bounding approach) then becomes crucial, and should be exercised with care to avoid underestimation of the reactivity.

The proof that the approach made is really bounding must include sufficient validation of the isotopic inventory used and the criticality calculation code applied. The fact that there is no critical or sub-critical experiment using commercial spent fuel in a configuration of interest (e.g. cask configuration) is certainly one of the main reasons why, to date, the application of the actinide plus fission product BUC level is restricted to PWR wet storage ponds.

3.3.4.2 Systematic errors in the burnup information

As already stated above, in many cases the burnup value of each fuel assembly is determined using information from the reactor records. As this information is generated using both measurements of the power distribution and reference core power distribution calculations, it has already occurred that a systematic error is introduced in the process of generating this information. This kind of error might affect the information of a full reload.

3.3.4.3 Fuel misloading

The outcome of a BUC criticality analysis of a spent fuel management system is always a loading criterion the fuel has to comply with in order to be acceptable for inclusion in the system. In most cases this criterion is formulated in the form of a loading curve defining the minimum required burnup as a function of the initial enrichment (cf. Section 3.3).

A misloading error occurs when a fuel assembly that does not comply with the burnup and enrichment requirements established by the loading curve of the system is nevertheless loaded into it.

The probability and the consequences of this event are strongly system-specific. In general terms, in the case of wet storage systems the associated risk might be high, whereas in the case of dry storage or transport the importance of the event is either dependent on the probability of flooding of the cask cavity or determined by the regulatory requirement to consider re-flooding of the cask cavity as a design basis event (cf. Section 3.3.3.2).

The probability of a misloading event can be reduced by imposing different and independent layers of administrative verifications before loading the fuel into the system. However, procedures based on technical measures employing hardware and software controls are preferable to administrative verifications (cf. Section 3.3.3.2).

The administrative verifications and controls must aim to avoid the possibility of “common mode” errors, which can lead to multiple misloadings. Two or more misloading errors do not need to be considered if they can be considered as independent events. However, if the same administrative error can lead to the misloading of more than one fuel assembly, it has to be considered as one event. Since no system designed for BUC application can withstand the misloading of more than one fuel assembly if it cannot withstand the misloading of one fuel assembly, this event needs to be ruled out by administrative controls (i.e. the probability of this event has to be reduced such that this event need not be considered as a design basis event).

As already described in Section 3.3.3.2, a different approach is used in some countries, in which the misloading event has to be excluded by application of the double contingency principle. The interpretation of the principle in this case is that two independent, unlikely and concurrent incidents have to happen before a misloading event can occur. With this philosophy, the misloading event is ruled out and need not be considered in the analysis.

In those cases in which the misloading scenario is not ruled out, if the event really does occur, there is a high probability of the error remaining undetected. That raises questions about whether or not the double contingency principle may be applied to the misloading event and a different design basis event that may take place at a later time. As mentioned in Section 3.3.3.2, in some countries it is decided that a misloading event that remains undetected and any other design basis event that takes place at a later time cannot be regarded as “concurrent events”, so that the double contingency principle is not applicable to these events.